What Is Personal Data?
Under the GDPR, personal data is any information connected to a living individual who can be identified—either directly or indirectly—using identifiers such as names, ID numbers, online identifiers, or attributes related to their physical, cultural, or social identity. Simply put, if you can determine who someone is based on the information you have, it qualifies as personal data.
Applicability of the UK GDPR
The GDPR governs the following types of data processing:
Data processed by automated means – For example, electronically stored and managed information.
Data forming part of a filing system – This includes manually handled data that is structured to allow easy retrieval.
While determining whether you handle personal data is straightforward in most cases, certain instances may require careful analysis to confirm whether the GDPR applies.
Special Category Data
Some types of data are deemed more sensitive and warrant stricter protection. These are referred to as special category data and include details about an individual’s:
Race or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic information
Biometric data (when used for identification)
Health
Sexual orientation or sex life
Additionally, information concerning criminal convictions and offences is subject to similar stringent safeguards.
Handling Unstructured Paper Records
The UK GDPR primarily addresses data that is electronically stored or systematically organised. However, the Data Protection Act 2018 (DPA 2018) extends personal data protections to unstructured manual records held by public authorities.
This ensures such records are appropriately safeguarded for requests under the Freedom of Information Act 2000. Although these records are exempt from most GDPR principles, they still require attention to ensure their confidentiality and integrity.
Distinguishing Between Pseudonymisation and Anonymisation
Pseudonymisation
Pseudonymisation involves replacing identifying elements within data with coded references, ensuring individuals are not immediately recognisable. For instance, names might be substituted with reference numbers, and the key to decode these references is stored separately. While this reduces risks and aids compliance, pseudonymised data is still classified as personal data since it remains possible to re-identify individuals with additional information.
Example: A courier company pseudonymises driver data for fleet efficiency analysis. Although the data is pseudonymised, the company retains the ability to re-identify drivers using additional records, so the data remains subject to the GDPR.
Anonymisation
By contrast, anonymisation ensures individuals cannot be identified under any circumstances, rendering the data outside the scope of the UK GDPR. Achieving true anonymisation can be challenging, as any reasonable possibility of re-identification invalidates the process. It’s essential to ensure anonymisation is robust, as improperly anonymised data remains subject to GDPR rules.
Note: The act of anonymising data itself constitutes data processing under GDPR.
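The following Python sketch is an added example, not part of the original article. It works through the courier scenario above: names are replaced with keyed reference numbers, the lookup table still allows re-identification, and a uniqueness check shows why destroying the key alone does not anonymise the data. The field names, sample rows, the `DRV-` prefix and the use of HMAC-SHA256 to derive references are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample data; names, depots and field names are illustrative.
DRIVERS = [
    {"driver_name": "A. Patel", "depot": "Leeds", "vehicle": "van", "avg_stops": 41},
    {"driver_name": "B. Jones", "depot": "Leeds", "vehicle": "van", "avg_stops": 37},
    {"driver_name": "C. Okoro", "depot": "Leeds", "vehicle": "e-bike", "avg_stops": 22},
    {"driver_name": "D. Smith", "depot": "Hull", "vehicle": "van", "avg_stops": 45},
]


def pseudonymise(records, key, id_field="driver_name"):
    """Replace the direct identifier with a keyed reference.

    Returns (pseudonymised rows, lookup table). The key and lookup table are
    the "additional information" and must be stored separately from the rows.
    """
    pseudo, lookup = [], {}
    for rec in records:
        digest = hmac.new(key, rec[id_field].encode(), hashlib.sha256).hexdigest()
        ref = "DRV-" + digest[:12]
        lookup[ref] = rec[id_field]
        rest = {k: v for k, v in rec.items() if k != id_field}
        pseudo.append({"ref": ref, **rest})
    return pseudo, lookup


def reidentify(ref, lookup):
    """Whoever holds the lookup table can reverse the substitution."""
    return lookup.get(ref)


def singled_out(records, quasi_identifiers):
    """Refs of rows whose remaining attributes are unique in the dataset.

    Such rows can be tied to a person using other details, even if the key
    and lookup table have been destroyed.
    """
    combo = lambda r: tuple(r[f] for f in quasi_identifiers)
    counts = Counter(combo(r) for r in records)
    return [r["ref"] for r in records if counts[combo(r)] == 1]


if __name__ == "__main__":
    rows, table = pseudonymise(DRIVERS, secrets.token_bytes(32))
    print(rows[0], "->", reidentify(rows[0]["ref"], table))
    print("unique on depot+vehicle:", singled_out(rows, ["depot", "vehicle"]))
```

In the sample, the only e-bike rider at Leeds and the only driver at Hull are each unique on depot and vehicle type, so those rows remain linkable to an individual without the lookup table.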
Data Concerning Deceased Individuals
GDPR applies only to living individuals. Information related to deceased persons falls outside its scope, though other laws may regulate such data.
Information About Legal Entities
GDPR does not consider data about legally recognised entities, such as limited companies, to be personal data. However, information about individuals within these organisations—such as sole traders, directors, or employees—can qualify as personal data if it identifies them as individuals.
For example, a person’s name and corporate email address would fall under GDPR if linked to their identity.
Key Takeaways
To determine whether the UK GDPR applies to your data:
Can an individual be identified from the data, alone or combined with other details?
Does the information relate to their private or professional identity?
Could the data be re-identified despite anonymisation efforts?
Answering these questions ensures you categorise your data correctly and apply the appropriate level of protection. By understanding and adhering to UK GDPR principles, you can safeguard individuals’ privacy while maintaining compliance with data protection laws.